APT28 Credential Harvest

active

Attacker Type

AI AGENT

Confidence

94%

Kill Chain

Credential Access

Events

247

CRS Score

Elapsed

EVENT TIMELINE

critical14:22:00

Password spray detected on VPN gateway (1,247 attempts/sec)

high14:22:05

SAML assertion forging attempt detected

info14:22:12

CIE: Honeypot credentials deployed to Active Directory

critical14:22:30

Attacker consumed poisoned credential: svc-backup-01

info14:22:45

CIE: Pre-blocked 14 lateral movement paths

high14:23:30

LDAP enumeration detected, tarpit activated

medium14:25:00

Attacker attempting Kerberoasting (trapped in tarpit)

ATTACK NARRATIVE

An AI-driven attacker attributed to APT28 infrastructure initiated a credential harvesting campaign targeting Active Directory service accounts. The attack began with password spray attempts against externally exposed VPN endpoints, followed by exploitation of a misconfigured SAML provider. The Counter-Insurgency Engine detected the initial access within 12ms and deployed adaptive honeypot credentials. The attacker has consumed 3 of 7 poisoned credentials, revealing their lateral movement playbook. Pre-blocking of 14 predicted attack paths is complete. The attacker is currently trapped in a behavioral tarpit designed to waste their computational resources while we map their full infrastructure.

Affected Assets

ad-controller-01vpn-gateway-prodsaml-proxy-01ldap-server-02

Agent Layers Involved

identitynetworkinfra

PREDICTED NEXT MOVES

01Kerberoasting against AD service accounts

02LDAP enumeration for privileged groups

03Pass-the-hash to domain controller

Pre-Blocked Paths

BLOCKEDKerberoasting against AD service accounts

BLOCKEDLDAP enumeration for privileged groups

BLOCKEDPass-the-hash to domain controller

COUNTER-ACTIONS EXECUTED

Deployed 7 honeypot credentials to AD

14:22:12

92%

Blocked 14 predicted lateral movement paths

14:22:45

88%

Activated behavioral tarpit on LDAP

14:23:30

95%

Injected adversarial noise into enumeration responses

14:25:00

91%